[Samba] BDC Rejecting auth request from client + Windows 7

David Noriega tsk133 at my.utsa.edu
Mon Feb 11 09:52:48 MST 2013


We are at a university and have no control over the network, thus I made
the BDC use a dynamic IP so it's on the same subnet as the clients.

The PDC is running Samba v3.5.10-125 (CentOS 6.3) and the BDC is
3.5.19-44 (CentOS 5.8).

Both servers use the same LDAP server.

pdbedit does show the same accounts on both servers.

Here is my smb.conf for the PDC:
[global]
        workgroup = XXXX
        netbios name = XXXX
        server string = PDC %v
        encrypt passwords = yes
        #enable privileges = yes
        passdb backend = ldapsam:ldap://x.x.x.x
        ldapsam:trusted = yes
        domain master = yes
        preferred master = yes
        local master = yes
        os level = 255
        dns proxy = yes
        wins support = yes
        name resolve order = host wins lmhosts bcast
        domain logons = yes
        client ntlmv2 auth = yes
        loglevel = 3
        log file = /var/log/samba/log.%m
        syslog = 0
        time server = yes
        ldap suffix = dc=x,dc=x,dc=x
        ldap user suffix = ou=people
        ldap group suffix = ou=group
        ldap machine suffix = ou=machines
        ldap idmap suffix = ou=Idmap
        ldap ssl = start tls
        ldap admin dn = cn=samba,ou=DSA,dc=x,dc=x,dc=x
        logon path = \\%L\profiles\%U
        logon script = netlogon.bat
        time server = Yes
        deadtime = 10
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        case sensitive = No
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        printcap name = /etc/printcap
        load printers = no
        interfaces = eth0
        bind interfaces only = yes

And for the BDC:
[global]
        workgroup = XXXX
        netbios name = BDC
        server string = BDC %v
        encrypt passwords = yes
        enable privileges = yes
        passdb backend = ldapsam:ldap://pavlov.cbi.utsa.edu
        ldapsam:trusted = yes
        domain master = no
        client ntlmv2 auth = yes
        local master = yes
        preferred master = yes
        os level = 50
        dns proxy = no
        wins server = x.x.x.x
        domain logons = yes
        loglevel = 3
        log file = /var/log/samba/log.%m
        syslog = 0
        time server = yes
        ldap suffix = dc=x,dc=x,dc=x
        ldap user suffix = ou=people
        ldap group suffix = ou=group
        ldap machine suffix = ou=machines
        ldap idmap suffix = ou=Idmap
        ldap ssl = start tls
        ldap admin dn = cn=samba,ou=DSA,dc=x,dc=x,dc=x
        logon path = ""
        logon script = netlogon.bat
        remote announce = x.x.x.x/XXXX
        remote browse sync = x.x.x.x
        printcap name = /etc/printcap
        load printers = no
        interfaces = eth2
        bind interfaces only = yes
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w %u


On Fri, Feb 8, 2013 at 2:34 PM, Gaiseric Vandal
<gaiseric.vandal at gmail.com>wrote:

> I don't quite understand- why does the BDC have a dynamic IP address? Or
> have I misunderstood? The DHCP server can provide the IP of the WINS
> servers to DHCP clients. Are the XP and Win 7 workstations on a separate
> subnet than the servers?
>
> What version are the samba servers? Do both samba servers point to a
> single LDAP server or do they each have their own LDAP server in
> replication? Does "pdbedit -Lv" show the same accounts on each DC?
> Is it possible that the Windows 7 machine accounts have not replicated to
> the BDC?
>
> Have you specified the ports in the smb.conf file? By default samba uses
> ports 137, 138, and 445. In theory you can disable port 445 (it reduces
> some of the transport warnings) but I find that causes problems with name
> resolution when a router or VPN is involved. So better off just sticking
> with the defaults.
>
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of David Noriega
> Sent: Friday, February 08, 2013 1:56 PM
> To: samba at lists.samba.org
> Subject: [Samba] BDC Rejecting auth request from client + Windows 7
>
> Just some background: In our environment, we are running both a PDC and
> a BDC. The local network setup has static IPs on a different subnet from
> DHCP IPs, thus the PDC has a static IP and the BDC has a dynamic one so
> the Windows machines are able to see the domain without hardcoding the IP
> of the PDC as a WINS server on each machine. This has worked fine for
> Windows XP. We are also using LDAP as the backend.
>
> Now we have a Windows 7 box and I have followed various instructions and
> modified entries within the registry as everyone else has specified. While
> I can join the domain, after reboot I get the "trust relationship failed"
> error (or on a rare occasion it will say no logon servers are available).
> Checking the logs I have mapped out the following:
>
> 1. Win7 client asks to join the domain
> 2. PDC responds and adds machine to LDAP
> 3. Win7 accepts and tests machine account
> 4. BDC rejects auth request
> 5. Win7 logs this, but still shows successful join message and reboots
> 6. Win7 then refused to log in on the domain. I can type in gibberish and
> still get the trust relationship failed message.
>
> Here is the following from the BDC:
>
> [2013/02/08 13:11:05.458750,  2] lib/smbldap.c:950(smbldap_open_connection)
>   smbldap_open_connection: connection opened
> [2013/02/08 13:11:05.504483,  2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
>   credentials check failed
> [2013/02/08 13:11:05.504529,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
> [2013/02/08 13:11:05.524195,  2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
>   credentials check failed
> [2013/02/08 13:11:05.524235,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
>   _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
> [2013/02/08 13:11:15.914207,  0] lib/util_sock.c:474(read_fd_with_timeout)
> [2013/02/08 13:11:15.914316,  0] lib/util_sock.c:1441(get_peer_addr_internal)
>   getpeername failed. Error was Transport endpoint is not connected
>   read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
>
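Added example, not code from the thread or from the Samba project: a small Python parser for the Samba debug-log layout quoted above (a header line carrying timestamp, debug level and source location, followed by indented message lines) that counts netlogon credential-check rejections per client and machine account, so an admin watching a DC can see which workstation's secure channel keeps being refused. The sample log is constructed to mirror the BDC excerpt in the thread.

```python
import re
from collections import Counter

# Constructed sample modelled on the BDC log excerpt in the thread above;
# the timestamps and names are illustrative, not taken from a live system.
SAMPLE_LOG = """\
[2013/02/08 13:11:05.458750,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2013/02/08 13:11:05.504483,  2] ../libcli/auth/credentials.c:307(netlogon_creds_server_check_internal)
  credentials check failed
[2013/02/08 13:11:05.504529,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
[2013/02/08 13:11:05.524235,  0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client CLASSROOM machine account CLASSROOM$
[2013/02/08 13:11:15.914207,  0] lib/util_sock.c:474(read_fd_with_timeout)
[2013/02/08 13:11:15.914316,  0] lib/util_sock.c:1441(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
"""

# Samba debug header: "[YYYY/MM/DD HH:MM:SS.usec,  level] file.c:line(function)"
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]\s*(\S+)$")
# The rejection message emitted by _netr_ServerAuthenticate3 in the excerpt
REJECT = re.compile(r"netlogon_creds_server_check failed\. Rejecting auth request "
                    r"from client (\S+) machine account (\S+)")

def parse_entries(text):
    """Group a Samba debug log into (timestamp, level, location, message) tuples.
    Message lines are the indented lines following a header; a header with no
    message (as read_fd_with_timeout above) yields an empty message string."""
    entries = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = [m.group(1), int(m.group(2)), m.group(3), []]
            entries.append(current)
        elif current is not None:
            current[3].append(line.strip())
    return [(ts, lvl, loc, " ".join(msg)) for ts, lvl, loc, msg in entries]

def rejected_machine_auths(text):
    """Count (client, machine account) pairs whose netlogon auth the DC rejected."""
    hits = Counter()
    for _ts, _lvl, _loc, msg in parse_entries(text):
        m = REJECT.search(msg)
        if m:
            hits[(m.group(1), m.group(2))] += 1
    return hits

if __name__ == "__main__":
    for (client, account), n in rejected_machine_auths(SAMPLE_LOG).items():
        print(f"{client} ({account}): {n} rejected netlogon auth request(s)")
```

Run it against /var/log/samba/log.* on the BDC (the `log file` path in the smb.conf above) to see whether the rejections are confined to one machine account or affect every Windows 7 client.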


More information about the samba mailing list